deroko's pemem
| Download crackme.zip, 18 kb (password: crackmes.de) Browse contents of crackme.zip keygen, selfekeygen or code loader to get good key.
Difficulty: 2 - Needs a little brain (or luck) | RatingVotes: 5 View profile of deroko » |
Solutions
Solution by HMX0101, published 17. jan, 2006; download (49 kb), password: crackmes.de or browse.
HMX0101 has not rated this crackme yet.
Solution by Zaphod, published 14. jan, 2006; download (200 kb), password: crackmes.de or browse.
Zaphod has rated this crackme as quite nice.
Solution by lord_Phoenix, published 10. jan, 2006; download (36 kb), password: crackmes.de or browse.
lord_Phoenix has rated this crackme as nothing special.
Discussion and comments
| konstAnt 02. Jan 2006 | Yah I have unpacked the first and then it uses write process memory..... and makes another exe file... I don't know how to dump that need help... |
|---|---|
| Zaphod 02. Jan 2006 | I have found the serial for my name, but I don't think I can write a keygen. You don't need to dump anything - load the crackme in Olly and press F9, click "Name in all modules" and set a breakpoint on GetDlgItemTextA, press "check" in the crackme, click "Execute till return" and F8, F9 a couple of times and you are back in the crackme's new thread. By the way, type a serial with 27 characters, that will make it easier to see what is happening. |
| deroko Author 02. Jan 2006 | @konstAnt: nope there is no writeprocessmemory used here. crackme name is self-explanatory (pe-mem-execution) =) @Zaphod: keygen can be done without a problem because I've intentionaly stored all data needed by keygen into same section that can be dumped without a problem and analyzed in ida (produce asm file), other solution would be to code loader and hook important places in exe to get good key, remeber loader is also one solution and probably the easiest one =) |
| HMX0101 02. Jan 2006 | i'm trying to make a loader for this crackme, but its a little bit harder. |
| deroko Author 02. Jan 2006 | if you need any hints with loader, let me know, loader can be done in, hmmm, maybe 10-15mins when you locate hook places =) |
| Zaphod 03. Jan 2006 | deroko: Unfortunately I don't have ida and I don't know how to "code loader", so I guess I'm stuck :( |
| Tenshi 03. Jan 2006 | the source of the pemem would be intresting i think....never seen an crackme like that....good work i try myself on it ;-) |
| DeepBlue 03. Jan 2006 | It only checks the Serial by doing many operations. It doesnt first generate the correct key and checks it against the key typed in. :( So i have to reverse this shit. I have one question: The Crackme has this loop in it: MOV ECX,20 CLC JB SHORT XXXXXXX SHR EAX,1 LOOPD SHORT XXXXXXXX The JB , jumps to badboy. So we have to survive this loop. But i dont know. Am i right when i say EAX has to be ZERO, to survive this loop? |
| jB_ 03. Jan 2006 | You're right, DeepBlue. Don't be afraid, this routine is really not hard to reverse =) |
| lord_Phoenix 03. Jan 2006 | very nice crackme and very very nice idea as always ;] now i'm in reversing it.. deroko :: u can make extracting "original crackme" as target too =) |
| DeepBlue 03. Jan 2006 | I know now, why loader is better. Does anyone know a good tutorial to write a loader ? I need to read out a specific address in the proccess' area. How do i do it? |
| deroko Author 03. Jan 2006 | Shub-Nigurrath wrote a bunch of them, also there is yates tutorial on coding loaders =) Reading from target process is performed using ReadProcessMemory. |
| konstAnt 04. Jan 2006 | This is the 1st code section of the crackme: 0040D4C5 > E8 00000000 CALL crackme.0040D4CA 0040D4CA 5D POP EBP 0040D4CB 81ED 60164000 SUB EBP,crackme.00401660 0040D4D1 FFB5 FC164000 PUSH DWORD PTR SS:[EBP+4016FC] 0040D4D7 FFB5 F8164000 PUSH DWORD PTR SS:[EBP+4016F8] 0040D4DD E8 8C000000 CALL crackme.0040D56E 0040D4E2 8BB5 EC164000 MOV ESI,DWORD PTR SS:[EBP+4016EC] 0040D4E8 837E 10 00 CMP DWORD PTR DS:[ESI+10],0 0040D4EC 74 62 JE SHORT crackme.0040D550 0040D4EE 8B5E 0C MOV EBX,DWORD PTR DS:[ESI+C] 0040D4F1 039D F0164000 ADD EBX,DWORD PTR SS:[EBP+4016F0] 0040D4F7 53 PUSH EBX 0040D4F8 FF95 D5174000 CALL DWORD PTR SS:[EBP+4017D5] 0040D4FE 8985 00174000 MOV DWORD PTR SS:[EBP+401700],EAX 0040D504 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10] 0040D507 03BD F0164000 ADD EDI,DWORD PTR SS:[EBP+4016F0] 0040D50D 56 PUSH ESI 0040D50E 8B36 MOV ESI,DWORD PTR DS:[ESI] 0040D510 85F6 TEST ESI,ESI 0040D512 75 04 JNZ SHORT crackme.0040D518 0040D514 8BF7 MOV ESI,EDI 0040D516 EB 06 JMP SHORT crackme.0040D51E 0040D518 03B5 F0164000 ADD ESI,DWORD PTR SS:[EBP+4016F0] 0040D51E AD LODS DWORD PTR DS:[ESI] 0040D51F 85C0 TEST EAX,EAX 0040D521 74 27 JE SHORT crackme.0040D54A 0040D523 A9 00000080 TEST EAX,80000000 0040D528 75 0B JNZ SHORT crackme.0040D535 0040D52A 0385 F0164000 ADD EAX,DWORD PTR SS:[EBP+4016F0] 0040D530 83C0 02 ADD EAX,2 0040D533 EB 05 JMP SHORT crackme.0040D53A 0040D535 25 FFFF0000 AND EAX,0FFFF 0040D53A 50 PUSH EAX 0040D53B FFB5 00174000 PUSH DWORD PTR SS:[EBP+401700] 0040D541 FF95 D9174000 CALL DWORD PTR SS:[EBP+4017D9] 0040D547 AB STOS DWORD PTR ES:[EDI] 0040D548 ^ EB D4 JMP SHORT crackme.0040D51E 0040D54A 5E POP ESI 0040D54B 83C6 14 ADD ESI,14 0040D54E ^ EB 98 JMP SHORT crackme.0040D4E8 0040D550 FFA5 F4164000 JMP DWORD PTR SS:[EBP+4016F4] <---Here is where it jumps to the next part I unpacked and got following result. A new program that ran successfully.. And the code was like this 00401000 > $ BE 6A124000 MOV ESI,unpacked.0040126A 00401005 . 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE 00401007 . 68 00100000 PUSH 1000 ; |AllocationType = MEM_COMMIT 0040100C . 68 00400000 PUSH 4000 ; |Size = 4000 (16384.) 00401011 . 6A 00 PUSH 0 ; |Address = NULL 00401013 . E8 64420000 CALL <JMP.&KERNEL32.VirtualAlloc> ; \VirtualAlloc 00401018 . A3 08604000 MOV DWORD PTR DS:[406008],EAX 0040101D . 8BF8 MOV EDI,EAX 0040101F . B9 00100000 MOV ECX,1000 00401024 . BB DEC0ADDE MOV EBX,DEADC0DE 00401029 . F8 CLC 0040102A . 1BD2 SBB EDX,EDX 0040102C > AD LODS DWORD PTR DS:[ESI] 0040102D . 33C3 XOR EAX,EBX 0040102F . AB STOS DWORD PTR ES:[EDI] 00401030 . 8956 FC MOV DWORD PTR DS:[ESI-4],EDX 00401033 . 81C3 EFBEADDE ADD EBX,DEADBEEF 00401039 . C1C3 07 ROL EBX,7 0040103C .^ E2 EE LOOPD SHORT unpacked.0040102C 0040103E . 8B1D 08604000 MOV EBX,DWORD PTR DS:[406008] 00401044 . 035B 3C ADD EBX,DWORD PTR DS:[EBX+3C] 00401047 . 33C0 XOR EAX,EAX 00401049 . 6A 40 PUSH 40 ; /Protect = PAGE_EXECUTE_READWRITE 0040104B . 68 00100000 PUSH 1000 ; |AllocationType = MEM_COMMIT 00401050 . FF73 50 PUSH DWORD PTR DS:[EBX+50] ; |Size 00401053 . 50 PUSH EAX ; |Address => NULL 00401054 . E8 23420000 CALL <JMP.&KERNEL32.VirtualAlloc> ; \VirtualAlloc 00401059 . A3 0C604000 MOV DWORD PTR DS:[40600C],EAX 0040105E . FF73 50 PUSH DWORD PTR DS:[EBX+50] 00401061 . 8F05 18604000 POP DWORD PTR DS:[406018] 00401067 . 8B4B 54 MOV ECX,DWORD PTR DS:[EBX+54] 0040106A . FC CLD 0040106B . 8B35 08604000 MOV ESI,DWORD PTR DS:[406008] 00401071 . 8B3D 0C604000 MOV EDI,DWORD PTR DS:[40600C] 00401077 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 00401079 . 8B1D 0C604000 MOV EBX,DWORD PTR DS:[40600C] 0040107F . 035B 3C ADD EBX,DWORD PTR DS:[EBX+3C] 00401082 . FF73 28 PUSH DWORD PTR DS:[EBX+28] 00401085 . 8F05 1C604000 POP DWORD PTR DS:[40601C] 0040108B . 0FB74B 06 MOVZX ECX,WORD PTR DS:[EBX+6] 0040108F . 8D83 F8000000 LEA EAX,DWORD PTR DS:[EBX+F8] 00401095 > 8B70 14 MOV ESI,DWORD PTR DS:[EAX+14] 00401098 . 0335 08604000 ADD ESI,DWORD PTR DS:[406008] 0040109E . 8B78 0C MOV EDI,DWORD PTR DS:[EAX+C] 004010A1 . 033D 0C604000 ADD EDI,DWORD PTR DS:[40600C] 004010A7 . 51 PUSH ECX 004010A8 . 8B48 10 MOV ECX,DWORD PTR DS:[EAX+10] 004010AB . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 004010AD . 59 POP ECX 004010AE . 83C0 28 ADD EAX,28 004010B1 .^ E2 E2 LOOPD SHORT unpacked.00401095 004010B3 . 68 00400000 PUSH 4000 ; /FreeType = MEM_DECOMMIT 004010B8 . 68 00400000 PUSH 4000 ; |Size = 4000 (16384.) 004010BD . FF35 08604000 PUSH DWORD PTR DS:[406008] ; |Address = 003F0000 004010C3 . E8 BA410000 CALL <JMP.&KERNEL32.VirtualFree> ; \VirtualFree 004010C8 . 8BB3 80000000 MOV ESI,DWORD PTR DS:[EBX+80] 004010CE . 85F6 TEST ESI,ESI 004010D0 . 74 6C JE SHORT unpacked.0040113E 004010D2 . 0335 0C604000 ADD ESI,DWORD PTR DS:[40600C] 004010D8 > 837E 0C 00 CMP DWORD PTR DS:[ESI+C],0 004010DC . 74 60 JE SHORT unpacked.0040113E 004010DE . 8B56 0C MOV EDX,DWORD PTR DS:[ESI+C] 004010E1 . 0315 0C604000 ADD EDX,DWORD PTR DS:[40600C] 004010E7 . 52 PUSH EDX ; /FileName 004010E8 . E8 89410000 CALL <JMP.&KERNEL32.LoadLibraryA> ; \LoadLibraryA 004010ED . A3 10604000 MOV DWORD PTR DS:[406010],EAX 004010F2 . 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10] 004010F5 . 033D 0C604000 ADD EDI,DWORD PTR DS:[40600C] 004010FB . 56 PUSH ESI 004010FC . 833E 00 CMP DWORD PTR DS:[ESI],0 004010FF . 74 0A JE SHORT unpacked.0040110B 00401101 . 8B36 MOV ESI,DWORD PTR DS:[ESI] 00401103 . 0335 0C604000 ADD ESI,DWORD PTR DS:[40600C] 00401109 . EB 02 JMP SHORT unpacked.0040110D 0040110B > 8BF7 MOV ESI,EDI 0040110D > AD LODS DWORD PTR DS:[ESI] 0040110E . 85C0 TEST EAX,EAX 00401110 . 74 26 JE SHORT unpacked.00401138 00401112 . A9 00000080 TEST EAX,80000000 00401117 . 75 0B JNZ SHORT unpacked.00401124 00401119 . 0305 0C604000 ADD EAX,DWORD PTR DS:[40600C] 0040111F . 83C0 02 ADD EAX,2 00401122 . EB 05 JMP SHORT unpacked.00401129 00401124 > 25 FFFF0000 AND EAX,0FFFF 00401129 > 50 PUSH EAX ; /ProcNameOrOrdinal 0040112A . FF35 10604000 PUSH DWORD PTR DS:[406010] ; |hModule = NULL 00401130 . E8 3B410000 CALL <JMP.&KERNEL32.GetProcAddress> ; \GetProcAddress 00401135 . AB STOS DWORD PTR ES:[EDI] 00401136 .^ EB D5 JMP SHORT unpacked.0040110D 00401138 > 5E POP ESI 00401139 . 83C6 14 ADD ESI,14 0040113C .^ EB 9A JMP SHORT unpacked.004010D8 0040113E > 8BB3 A0000000 MOV ESI,DWORD PTR DS:[EBX+A0] 00401144 . 85F6 TEST ESI,ESI 00401146 . 74 4F JE SHORT unpacked.00401197 00401148 . 0335 0C604000 ADD ESI,DWORD PTR DS:[40600C] 0040114E . A1 0C604000 MOV EAX,DWORD PTR DS:[40600C] 00401153 . 2B43 34 SUB EAX,DWORD PTR DS:[EBX+34] 00401156 . 8BF8 MOV EDI,EAX 00401158 . FF35 0C604000 PUSH DWORD PTR DS:[40600C] 0040115E . 8F43 34 POP DWORD PTR DS:[EBX+34] 00401161 > 833E 00 CMP DWORD PTR DS:[ESI],0 00401164 . 74 31 JE SHORT unpacked.00401197 00401166 . 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4] 00401169 . 83E9 08 SUB ECX,8 0040116C . D1E9 SHR ECX,1 0040116E . 8B16 MOV EDX,DWORD PTR DS:[ESI] 00401170 . 0315 0C604000 ADD EDX,DWORD PTR DS:[40600C] 00401176 > 0FB7444E 06 MOVZX EAX,WORD PTR DS:[ESI+ECX*2+6] 0040117B . 8BD8 MOV EBX,EAX 0040117D . 81E3 00F00000 AND EBX,0F000 00401183 . 85DB TEST EBX,EBX 00401185 . 74 09 JE SHORT unpacked.00401190 00401187 . 25 FF0F0000 AND EAX,0FFF 0040118C . 03C2 ADD EAX,EDX 0040118E . 0138 ADD DWORD PTR DS:[EAX],EDI 00401190 >^ E2 E4 LOOPD SHORT unpacked.00401176 00401192 . 0376 04 ADD ESI,DWORD PTR DS:[ESI+4] 00401195 .^ EB CA JMP SHORT unpacked.00401161 00401197 > 6A 00 PUSH 0 ; /pModule = NULL 00401199 . E8 CC400000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA 0040119E . 8BD8 MOV EBX,EAX 004011A0 . 8B1D 0C604000 MOV EBX,DWORD PTR DS:[40600C] 004011A6 . 64:67:A1 3000 MOV EAX,DWORD PTR FS:[30] 004011AB . 8958 08 MOV DWORD PTR DS:[EAX+8],EBX 004011AE . 64:67:8B26 04>MOV ESP,DWORD PTR FS:[4] 004011B4 . E8 0B000000 CALL unpacked.004011C4 ; PUSH ASCII "ExitThread" 004011B9 . 45 78 69 74 5>ASCII "ExitThread",0 004011C4 > E8 09000000 CALL unpacked.004011D2 ; PUSH ASCII "kernel32" 004011C9 . 6B 65 72 6E 6>ASCII "kernel32",0 004011D2 > E8 93400000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; |\GetModuleHandleA 004011D7 . 50 PUSH EAX ; |hModule 004011D8 . E8 93400000 CALL <JMP.&KERNEL32.GetProcAddress> ; \GetProcAddress 004011DD . 50 PUSH EAX 004011DE . E8 0C000000 CALL unpacked.004011EF ; PUSH ASCII "ExitProcess" 004011E3 . 45 78 69 74 5>ASCII "ExitProcess",0 004011EF > E8 09000000 CALL unpacked.004011FD ; PUSH ASCII "kernel32" 004011F4 . 6B 65 72 6E 6>ASCII "kernel32",0 004011FD > E8 68400000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; |\GetModuleHandleA 00401202 . 50 PUSH EAX ; |hModule 00401203 . E8 68400000 CALL <JMP.&KERNEL32.GetProcAddress> ; \GetProcAddress 00401208 . 8BF0 MOV ESI,EAX 0040120A . A3 24604000 MOV DWORD PTR DS:[406024],EAX 0040120F . E8 04000000 CALL unpacked.00401218 00401214 . 0000 ADD BYTE PTR DS:[EAX],AL 00401216 . 0000 ADD BYTE PTR DS:[EAX],AL 00401218 $ 6A 40 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE 0040121A . 68 00100000 PUSH 1000 ; |Size = 1000 (4096.) 0040121F . 56 PUSH ESI ; |Address 00401220 . E8 63400000 CALL <JMP.&KERNEL32.VirtualProtect> ; \VirtualProtect 00401225 . BF 31604000 MOV EDI,unpacked.00406031 0040122A . B9 06000000 MOV ECX,6 0040122F . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 00401231 . 8B3D 24604000 MOV EDI,DWORD PTR DS:[406024] 00401237 . B0 68 MOV AL,68 00401239 . AA STOS BYTE PTR ES:[EDI] 0040123A . B8 50124000 MOV EAX,unpacked.00401250 0040123F . AB STOS DWORD PTR ES:[EDI] 00401240 . B0 C3 MOV AL,0C3 00401242 . AA STOS BYTE PTR ES:[EDI] 00401243 . A1 1C604000 MOV EAX,DWORD PTR DS:[40601C] 00401248 . 0305 0C604000 ADD EAX,DWORD PTR DS:[40600C] 0040124E . FFE0 JMP EAX <-It is where the program is moving to the real part of the crackme. But EAX value is 9F1000 00401250 . BE 31604000 MOV ESI,unpacked.00406031 00401255 . 8B3D 24604000 MOV EDI,DWORD PTR DS:[406024] 0040125B . B9 06000000 MOV ECX,6 00401260 . FC CLD 00401261 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 00401263 . 6A 00 PUSH 0 ; /ExitCode = 0 00401265 . E8 24400000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess So it jumps to 009F100 So the code goes: 009F1000 6A 00 PUSH 0 009F1002 E8 66210000 CALL 009F316D ; JMP to kernel32.GetModuleHandleA 009F1007 6A 00 PUSH 0 009F1009 68 22109F00 PUSH 9F1022 009F100E 6A 00 PUSH 0 009F1010 68 E7030000 PUSH 3E7 009F1015 50 PUSH EAX 009F1016 E8 5E210000 CALL 009F3179 ; JMP to USER32.DialogBoxParamA 009F101B 6A 00 PUSH 0 009F101D E8 51210000 CALL 009F3173 ; JMP to kernel32.ExitProcess And many more And the serial calculation section is: 009F114C FF75 08 PUSH DWORD PTR SS:[EBP+8] 009F114F E8 2B200000 CALL 009F317F ; JMP to USER32.GetDlgItemTextA 009F1154 83F8 04 CMP EAX,4 009F1157 0F86 11010000 JBE 009F126E 009F115D A3 EE409F00 MOV DWORD PTR DS:[9F40EE],EAX 009F1162 6A 64 PUSH 64 009F1164 68 8A409F00 PUSH 9F408A 009F1169 6A 01 PUSH 1 009F116B FF75 08 PUSH DWORD PTR SS:[EBP+8] 009F116E E8 0C200000 CALL 009F317F ; JMP to USER32.GetDlgItemTextA 009F1173 85C0 TEST EAX,EAX 009F1175 0F84 F3000000 JE 009F126E 009F117B FF35 EE409F00 PUSH DWORD PTR DS:[9F40EE] 009F1181 68 26409F00 PUSH 9F4026 009F1186 E8 EE000000 CALL 009F1279 009F118B 8BF0 MOV ESI,EAX 009F118D BF 06409F00 MOV EDI,9F4006 009F1192 B9 10000000 MOV ECX,10 009F1197 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 009F1199 83C4 08 ADD ESP,8 009F119C 33C0 XOR EAX,EAX 009F119E B9 8A409F00 MOV ECX,9F408A 009F11A3 8841 08 MOV BYTE PTR DS:[ECX+8],AL 009F11A6 8861 11 MOV BYTE PTR DS:[ECX+11],AH 009F11A9 8841 1A MOV BYTE PTR DS:[ECX+1A],AL 009F11AC 51 PUSH ECX 009F11AD E8 720F0000 CALL 009F2124 009F11B2 A3 F2409F00 MOV DWORD PTR DS:[9F40F2],EAX 009F11B7 BE 93409F00 MOV ESI,9F4093 009F11BC 56 PUSH ESI 009F11BD E8 620F0000 CALL 009F2124 009F11C2 C1C0 07 ROL EAX,7 009F11C5 A3 F6409F00 MOV DWORD PTR DS:[9F40F6],EAX 009F11CA BE 9C409F00 MOV ESI,9F409C 009F11CF 56 PUSH ESI 009F11D0 E8 4F0F0000 CALL 009F2124 009F11D5 C1C8 09 ROR EAX,9 009F11D8 A3 FA409F00 MOV DWORD PTR DS:[9F40FA],EAX 009F11DD F8 CLC 009F11DE 1BC9 SBB ECX,ECX 009F11E0 BE 06409F00 MOV ESI,9F4006 009F11E5 BF 6D219F00 MOV EDI,9F216D 009F11EA 0FB606 MOVZX EAX,BYTE PTR DS:[ESI] 009F11ED 8B1C38 MOV EBX,DWORD PTR DS:[EAX+EDI] 009F11F0 0FB646 03 MOVZX EAX,BYTE PTR DS:[ESI+3] 009F11F4 8B1438 MOV EDX,DWORD PTR DS:[EAX+EDI] 009F11F7 33DA XOR EBX,EDX 009F11F9 A1 F2409F00 MOV EAX,DWORD PTR DS:[9F40F2] 009F11FE 33C3 XOR EAX,EBX 009F1200 03C8 ADD ECX,EAX 009F1202 0FB646 04 MOVZX EAX,BYTE PTR DS:[ESI+4] 009F1206 8B1C38 MOV EBX,DWORD PTR DS:[EAX+EDI] 009F1209 0FB646 08 MOVZX EAX,BYTE PTR DS:[ESI+8] 009F120D 8B1438 MOV EDX,DWORD PTR DS:[EAX+EDI] 009F1210 33DA XOR EBX,EDX 009F1212 A1 F6409F00 MOV EAX,DWORD PTR DS:[9F40F6] 009F1217 33C3 XOR EAX,EBX 009F1219 03C8 ADD ECX,EAX 009F121B 0FB646 09 MOVZX EAX,BYTE PTR DS:[ESI+9] 009F121F 8B1C38 MOV EBX,DWORD PTR DS:[EAX+EDI] 009F1222 0FB646 0A MOVZX EAX,BYTE PTR DS:[ESI+A] 009F1226 8B1438 MOV EDX,DWORD PTR DS:[EAX+EDI] 009F1229 33DA XOR EBX,EDX 009F122B A1 FA409F00 MOV EAX,DWORD PTR DS:[9F40FA] 009F1230 33C3 XOR EAX,EBX 009F1232 03C8 ADD ECX,EAX 009F1234 8BC1 MOV EAX,ECX 009F1236 B9 20000000 MOV ECX,20 009F123B F8 CLC 009F123C 72 30 JB SHORT 009F126E 009F123E D1E8 SHR EAX,1 009F1240 ^ E2 FA LOOPD SHORT 009F123C 009F1242 6A 40 PUSH 40 009F1244 E8 07000000 CALL 009F1250 Ok there are three problems with this: 1) I can't unpack now... 2) I don't see any useful calculations 3) I can't find even a valid serial for my name. Will u give an example of username and serial....????? |
| deroko Author 04. Jan 2006 | well look better because there is serial calculation =) |
| lord_Phoenix 04. Jan 2006 | konstAnt :: if u want - i can give u an "extracted version" of crackme.. |
| zairon Moderator 04. Jan 2006 | To konstant: Which is the sense of your post? Lots of lines with only a single comment. Next time don't post all that code! |
| ap0x 04. Jan 2006 | You have to spot ROL/ROR instuctions when fishing serial. Look at XOR EAX,EBX and you will see it ;) e.g. user: reversingLabs serial: F5AF77AC-FB284C85-86C382A3 |
| ap0x 11. Jan 2006 | since lord_Phoenix did not submit a keygen i give you my loader... http://rapidshare.de/files/10649233/deroko.ph5.solved.rar.html ... But do this yourself it is a very nice exercise. |
| deroko Author 11. Jan 2006 | great job ap0x, that's what I was looking for :D :D |
| Zaphod 11. Jan 2006 | HA! I DID IT!! I wrote earlier that I didn't think I could write a keygen for this crackme, but I was wrong... |
| lord_Phoenix 11. Jan 2006 | congratz =) loader is a very elegant solution.. |
| deroko Author 12. Jan 2006 | @Zaphod: c'mon submit it, it would be nice to see working keygen =) |
| Zaphod 12. Jan 2006 | deroko: Can I submit a keygen without a tutorial? OK, I'll try and see if it gets accepted. |
| DeepBlue 12. Jan 2006 | From the FAQ: "We deny all solutions without a detailed tutorial!" Upload it somewhere else. |
| deroko Author 13. Jan 2006 | @Zaphod: if you ask me that's ok =) Write something, how did you get key, what is serial algo etc... I know that it was too much c/p from IDA and lord_Finix didn't write keygen, nor self-keygen nor loader so I'm waiting for your solution =) |
| HMX0101 13. Jan 2006 | my keygen is ready and working, tomorrow: write the solution, maybe can upload the saturday or sunday :) |
| Zaphod 13. Jan 2006 | deroko: I submitted my keygen, but it was rejected. Well, I guess such are the rules. Now I'm not sure I have the energy to write a tutorial, but I'll think about it. |
| ap0x 13. Jan 2006 | Elegant or not it works... You did not published your keygen, nor loader, nor any other thing that can generate serials for this crackme. You solution should have been rejected on site, but i think that there maybe some people that can not fish a serial. Btw. you failed to mantione md5+blowfish... So i don`t see how you could have coded a keygen by missing vital parts of the crackme. But please, bring some light to the subject, post your keygen. Prove us wrong... |
| deroko Author 15. Jan 2006 | @Zaphod: good =) finaly complete solution with keygen =) anyway that procedure that takes forever is md5 you could rip it from IDA because it is offset indipendent, but anyway congratz on converting all this stuff to C =) |
| Zaphod 15. Jan 2006 | deroko: I don't know what md5 is - and by the way, I don't know either what blowfish is ( ap0x mentions this above ). There is a lot to learn... |
| deroko Author 16. Jan 2006 | just some crypto stuff used to make a little bit harder crackme, but as I've mentioned all data needed to create keygen is offset-indipendent and can be ripped from IDA without knowing what is really going on =) cheers =) |
You may leave your comment, thoughts and discuss this crackme with other reversers here.
Acting childish will not be tolerated.
HTML and such will be left as-is, so don't try.